0xma Cyber Security Articles




April 27, 2022

SQL Injection - Example 2

In this tutorial, we will see how to perform a SQL injection by uploading a file. The web application allows the users to upload a file and once the file has been uploaded, the files are listed and available for everyone to download. While uploading a file, we will capture it in Burp Suite and make modifications to the POST request to perform a SQL injection.

This is the page that allows us to upload files.

Main page of the application.

The sample file which we will upload.

Sample text file to upload.

Let's click on "Select file".

File upload page.

Select the sample text file.

Selecting the sample text file.

Once the file is selected, click on "Submit".

Submitting the file.

This is the captured POST request that uploads the file. Note that it contains the contents of the text file and it has a parameter called "filename" which contains the name of the file "Previse.txt".

Captured request in Burp Intercept.

Once uploaded, the file gets listed which is available for everyone to download.

File list in the web application.

This is the PHP code that is used in the page that uploads the file.

PHP code of the upload page.

It is the SQL statement that is used to insert data related to the file in the database. It takes four values: filename, filesize, filedata, and username.

SQL INSERT statement that saves the properties of the file in the database.

The goal is to insert SQL injection payloads for values taken from the file and comment out the rest of the statement.

SQL injection that we try to perform.

This is the statement that we try to inject. "empty admin file" is used for fileName, "0" is used for fileSize, "" is used for fileData, and "admin" is used for $_SESSION['user']. And since we comment out the rest of the SQL statement, everything following the comment is ignored.

SQL injection when uploading a file.

Executing the SQL injection through Burp Repeater results in "Error while uploading! :(".

Error while uploading message.

However, if we remove the blank line after the contents of the file "This is a sample file", the SQL injection gets executed successfully. Note that the contents of the file is changed to "0xma.com", but it is irrelevant.

Successful SQL injection.

A new file has been added to the list with the name of "EMPTY ADMIN FILE". It means that the SQL injection was successful.

SQL injection added the filename to the list.

Let's try to insert some text "0xmacybersec" in the username field.

Inserting some text in the username field.

Send the SQL injection through Burp Repeater.

SQL injection through Burp Repeater.

We can see that the username has been added to the file list.

SQL injection added the username.

Next, let's try to get all the "usernames" from the "accounts" table. We are assuming that there is a table by the name of accounts that has a column by the name of username.

SQL injection to get usernames from the accounts table.

However, executing the SQL injection results in an error message.

Error while uploading message.

The error message is an indication that there is probably more than one user in the table. This is why it is important to limit the results to one row.

SQL injection to retrieve one username from the table.

Executing the SQL injection through Burp Repeater returns a "File successfully uploaded! :)" message.

SQL injection through Burp Repeater.

We can see that the username "0xmacybersec" is added to the list. This is the username that is registered in the web application and is saved in the database.

One username retrieved from the database.

Next, we try to get all the usernames in the database by using the "group_concat" function. This function concatenates all the usernames in the table (in this case 2) and displays them in the page.

SQL injection to display all the usernames in the table.

SQL injection to retrieve all usernames through Burp Repeater.

All the usernames in the table (in this case 2) are displayed in the list.

SQL injection displayed in the list.

Again, we are assuming that if there is a column by the name of "username" then there must be a column by the name of "password" as well. Using this SQL injection, we are trying to get a username and password separated by a ':' from the accounts table.

SQL injection to retrieve username and password.

SQL injection through Burp Repeater.

We can see that the username and password is displayed in the list.

Username and password displayed in the list.

The next goal is to try and get all the usernames and passwords in the table. In order to make it more readable we try to separate each row with a <br> tag.

SQL injection to retrieve all the usernames and passwords in the table.

SQL injection through Burp Repeater.

All the usernames and passwords are displayed in the list.

Usernames and passwords displayed in the list.

If you liked reading this article, you can follow me on Twitter: 0xmaCyberSec.